A working version to block intruders from warpgate
compose.yml
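services:
  warpgate:
    container_name: warpgate
    # No tag given, so this resolves to :latest; pin a tag or digest
    # (image: ghcr.io/warp-tech/warpgate:<pinned-version>) for reproducible deploys.
    image: ghcr.io/warp-tech/warpgate
    ports:
      # Published on all interfaces. Nothing in the fail2ban pipeline below
      # covers this port: the filter only matches HTTP login failures.
      - "2222:2222"
      # Web UI/API bound to localhost only: it is meant to sit behind a reverse
      # proxy on this host, which is what makes TRUST_PROXY_HEADERS below acceptable.
      - "127.0.0.1:8888:8888"
    volumes:
      - ./data:/data:Z
      - ./sockets:/var/run
    stdin_open: true
    tty: true
    restart: always
    environment:
      # Makes warpgate take client_ip from the proxy's forwarded headers; that is
      # the address the vector/fail2ban pipeline bans on. Keep 8888 bound to
      # 127.0.0.1 and make sure the proxy overwrites (does not append to) the
      # forwarded header, otherwise a client can choose which address gets banned.
      - WARPGATE__WEB__TRUST_PROXY_HEADERS=true
    logging:
      driver: json-file
      options:
        max-size: "50m"
        max-file: "3"

  vector:
    # Floating "latest" tag; pin to a specific version for reproducibility.
    image: timberio/vector:latest-alpine
    container_name: vector
    restart: unless-stopped
    depends_on:
      - warpgate
    volumes:
      # Required by the docker_logs source. ":ro" restricts the mount, not the
      # Docker API behind the socket, which is effectively host-root access;
      # keep this container minimal and its config read-only.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./vector.yaml:/etc/vector/vector.yaml:ro
      # Writable on purpose: vector writes auth.log here and fail2ban on the host reads it.
      - /var/log/warpgate:/var/log/warpgate
    command: ["--config", "/etc/vector/vector.yaml"]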
vector.yaml
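sources:
  warpgate:
    type: docker_logs
    include_containers:
      - warpgate

transforms:
  to_fail2ban:
    type: remap
    inputs:
      - warpgate
    # Keep only failed web logins and rewrite each into one fail2ban-friendly line:
    #   <UTC timestamp> warpgate login failed ip=<client ip>
    source: |
      raw = string!(.message)
      # Strip ANSI escape codes (colour output) so the matches below are literal
      msg = replace(raw, r'\x1b\[[0-9;]*m', "")
      # Only a 401 on the web login endpoint is of interest; auth failures on
      # other protocols/ports never reach the sink
      ok = contains(msg, "WARN HTTP:") &&
        contains(msg, "/@warpgate/api/auth/login") &&
        contains(msg, "status=401") &&
        contains(msg, "client_ip")
      if !ok {
        # Discards the event (Vector's default drop_on_abort)
        abort
      }
      # ISO 8601 with a literal Z; fail2ban's date detector understands this form
      ts = format_timestamp!(.timestamp, "%Y-%m-%dT%H:%M:%SZ")
      # The capture group must be named "ip" because it is read as parsed.ip below.
      # With TRUST_PROXY_HEADERS set in compose.yml this is the proxy-forwarded address.
      parsed = parse_regex!(msg, r'client_ip\s*=\s*(?P<ip>[0-9a-fA-F\.:]+)')
      ip = parsed.ip
      .message = ts + " warpgate login failed ip=" + ip

sinks:
  fail2ban_file:
    type: file
    inputs:
      - to_fail2ban
    # Must match logpath in the fail2ban jail
    path: "/var/log/warpgate/auth.log"
    encoding:
      codec: text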
/etc/fail2ban/filter.d/warpgate.conf
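[Definition]
# One line per failed web login, as written by the vector "to_fail2ban" transform:
#   <timestamp> warpgate login failed ip=<address>
# <HOST> is fail2ban's placeholder for the IPv4/IPv6 address to ban; without it
# the filter captures no address and the jail never bans anything.
failregex = ^.*warpgate login failed ip=<HOST>$
ignoreregex =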
/etc/fail2ban/jail.d/warpgate.conf
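[warpgate]
enabled = true
filter = warpgate
# Written by the vector container via the /var/log/warpgate bind mount
logpath = /var/log/warpgate/auth.log
# 5 failed web logins within 300 s -> 300 s ban
maxretry = 5
findtime = 300
bantime = 300
# No banaction/port set, so fail2ban's defaults apply. Those block traffic that
# reaches the host's own INPUT chain (the reverse proxy in front of
# 127.0.0.1:8888). Ports Docker publishes directly are forwarded rather than
# delivered locally and would typically need a banaction targeting the
# DOCKER-USER chain; this jail does not cover them anyway (HTTP logins only).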